How to… > Use rights aggregation vs. rights inheritance

User Management rights repository support two approaches for implementing role base access rights:

•Rights aggregation, i.e. one user may have multiple roles respectively max be member of multiple User Groups. The rights from each of the roles then get aggregated (logical OR operator is used),

•Rights inheritance, i.e. a User Group may have a parent group. The User Group will inherit rights (e.g. grouprights for projects) and restrictions from its parent group.

You may either use the first or the second approach.

Note: It is not recommended to mix both approaches because it will get hard to check effective user rights then for administrators.

To understand the right aggregation of the SynerGIS rights repository it is important to understand, that there are 3 statuses:

A.Restriction with defined restriction rules

B.Restriction with NO restriction rules = right

C.No restriction

If a user is member of several groups, the right aggregation works like this:

A+A=A

A+B=B

A+C=A

B+C=B

A+B+C=B

Example for Restrictions for Layers (using Attributive Filters):

Case A: Restriction with defined restriction rule - functional restrictions (no attributive search, no editing) and assigned attributive filter (PLZ='6900').

Look in Effective Grouprights Report: